Harrison Kisaka -vs- Faulu Microfinance Bank Limited

Country: Kenya
Court: Office of the Data Protection Commissioner
Status: Determination
Tags: data protection,privacy breaches,right to access personal data,data subject rights

Case Summary

On 17th April 2023, the Office of the Data Protection Commissioner (ODPC) received a complaint from one Harrison Kisaka regarding the negative use of his personal data, which was used to discriminate against him in accessing a job opportunity. In his complaint, Harrison sought access to the personal data that had led to his disqualification from the employment opportunity. The facts preceding the complaint were as follows: the complainant, Harrison Kisaka, applied for a position at Faulu Microfinance Bank Limited and consented to background checks. After being selected for the position, an adverse report from the background check led to the revocation of his appointment. Kisaka requested access to the adverse report but was denied by the bank, which described it as private information. The bank claimed that the adverse report was based on his non-disclosure of ongoing criminal proceedings against him. Kisaka alleged that the processed data was used against him unfairly and sought access to it so that the matter could be resolved. The bank responded by detailing the background check process and the reasons for the adverse report. The case revolves around Kisaka's right to access his personal data processed by the bank and the bank's handling of the adverse report in relation to his employment opportunity.

Issues for determination

The main issues for determination in this case are:

  1. Whether there was any infringement of Harrison Kisaka's rights as a data subject as provided in the Data Protection Act, 2019.
  2. Specifically, whether the adverse report generated from the background checks conducted by Faulu Microfinance Bank Limited constitutes Kisaka's personal data.
  3. Whether the bank's refusal to provide Kisaka with a copy of the processed data and its source, as specified in the consent form he signed, violated his rights under the Data Protection Act.
  4. Whether the bank's handling of Kisaka's personal data, including the reasons for the adverse report and the transparency of the background check process, was adequate.

Determination

The Data Commissioner ruled in favour of the Complainant, Harrison Kisaka. The Data Commissioner determined that Harrison Kisaka's rights as a data subject were infringed under the Data Protection Act, 2019, and specifically his right to access as prescribed under the Act. The Data Commissioner found that Harrison's right to access was violated on the following grounds:

● Faulu Microfinance Bank Limited refused to provide Kisaka with access to the adverse report generated from the background checks, which constituted his personal data.

● By denying Kisaka access to this information, the bank violated his rights as a data subject to access and rectify his personal data as outlined in the Data Protection Act. The Commissioner noted that the adverse report generated from the background checks conducted by Faulu Microfinance Bank Limited constituted Harrison Kisaka's personal data under the definition of personal data in the Data Protection Act, 2019, which covers any information relating to an identified or identifiable natural person. As the adverse report contained information specific to Kisaka and could be used to identify him, it fell within the definition of personal data under the Act.

● Faulu Microfinance Bank Limited refused to provide Harrison Kisaka with a copy of the processed data and its source, as specified in his signed consent form. By denying Kisaka access to the adverse report resulting from the background checks, the bank failed to comply with Kisaka's right to access as outlined in the Data Protection Act.

The Data Protection Commissioner determined that Faulu Microfinance Bank Limited did not appropriately handle Harrison Kisaka's personal data. The Commissioner found that the bank's handling of Kisaka's personal data, including the reasons for the adverse report and the transparency of the background check process, was lacking. Specifically, the Commissioner noted that the bank's refusal to provide Kisaka with a copy of the processed data and the source, as specified in his signed consent form, violated Kisaka's rights under the Data Protection Act. Additionally, the Commissioner highlighted that the bank's communication with Kisaka regarding the adverse report was not transparent and that Kisaka was not provided with sufficient information about the reasons for the adverse report. Overall, the Commissioner's determination indicated that Faulu Microfinance Bank Limited's handling of Kisaka's personal data did not meet the standards required by data protection regulations.

Upon the determination, the respondent, Faulu Bank, was required to respond to and accept the complainant's request within seven days, failing which an enforcement notice would be issued against the respondent.

Analysis

In the case of Harrison Kisaka v. Faulu Microfinance Bank Limited, several critical issues related to the right to access, rights of the data subject, data handling, privacy policies, and duties of a data controller and processor were at the forefront of the determination made by the Data Protection Commissioner.

● Rights of the Data Subject: The case underscored the rights of data subjects, like Kisaka, to have control over their personal data and to be informed about how their data is being processed. The determination recognised that data subjects have the right to understand the information held about them by data controllers and the reasons behind any adverse reports or decisions based on their personal data. The rights of data subjects are provided under section 26 of the Act and include the right to be informed of the use of their data, the right to access the data, the right to object to the processing of the data, the right to correct any false or misleading data, and the right to delete any false or misleading data. In practice, these rights are only exercisable where the right to access is enforceable. This emphasises the importance of respecting and upholding the rights of data subjects in data processing activities.

● Right to Access: The Data Protection Commissioner's analysis highlighted Kisaka's fundamental right to access his personal data under the Data Protection Act, 2019. The Commissioner found that Faulu Microfinance Bank Limited infringed upon Kisaka's right to access his personal data by denying him the adverse report resulting from background checks. The right to access data is derived from the rights of data subjects as prescribed under section 26(b) of the Data Protection Act: a data subject can access their personal data in the custody of the data controller and processor. This underscores the significance of data subjects being able to access and review their personal data to ensure transparency and accountability in data processing activities.

● Data Handling: Faulu Microfinance Bank Limited's handling of Kisaka's personal data was a focal point in the case. The Commissioner found that the bank's handling of Kisaka's personal data, particularly concerning the adverse report and the transparency of the background check process, did not meet the standards required by data protection regulations. This highlights the significance of data controllers and processors handling personal data lawfully, fairly, and transparently to protect the privacy and rights of data subjects. This case specifically brought out the fact that background checks carried out by employers are subject to data processing and handling requirements and that employees have a right to the information generated about them as a result of the background check. Additionally, regulation 9(1)(e) provides that a data subject has the right to obtain information from the data controller or data processor. This further brings out data privacy by design and by default as provided under section 41(3)(d) of the Data Protection Act, which requires the data controller or processor to implement appropriate technical and organisational measures to ensure that, by default, only personal data necessary for each specific purpose is processed, taking into consideration, among other things, accessibility.

● Privacy Policies: The case analysis also highlights the importance of having robust privacy policies in place to govern the handling of personal data. Privacy policies should outline how personal data is collected, processed, stored, and shared, as well as detail data subjects' rights regarding their personal information. In this case, the Commissioner may have assessed Faulu Microfinance Bank Limited's privacy policies to determine compliance with data protection regulations and the adequacy of information provided to data subjects.

● Duties of a Data Controller and Processor: The determination in this case highlighted the duties and responsibilities of data controllers and processors under data protection laws. Data controllers, such as Faulu Microfinance Bank Limited, have a duty to ensure that data subjects' rights are respected, including the right to access personal data. Data processors are also obligated to handle personal data in accordance with data protection regulations and to maintain transparency in data processing activities. This is provided for under the Act. Upholding these duties is essential for safeguarding personal data and ensuring compliance with data protection laws.

In conclusion, the case of Harrison Kisaka v. Faulu Microfinance Bank Limited serves as a significant illustration of the importance of respecting data subjects' rights, ensuring transparent data handling practices, implementing robust privacy policies, and fulfilling the duties and responsibilities of data controllers and processors in protecting personal data in accordance with data protection laws. It further establishes that data collected during interview stages, including data arising from any degree of background check directly related to the data subject, also falls under the purview of the data protection laws.

Frequently Asked Questions


A data subject is a natural person who is the subject of personal data held by a controller and who can be identified, directly or indirectly, through that personal data.

Each data subject has the right:

  • to be informed whether or not his or her personal data is being processed,
  • to request information about the processing, if data has been processed,
  • to be informed of the purpose of the processing and whether the data is being used in accordance with those purposes,
  • to be informed about third parties who receive personal data in Kenya and abroad,
  • to request the rectification of incomplete or inaccurate processed data, and
  • to request the erasure or destruction of personal data.

Data processing refers to any operation performed on personal data, either entirely or partially, automatically or manually. This includes collection, recording, storage, preservation, modification, revision, disclosure, transmission, assignment, making available, classification, or prevention of use.

A data controller is a natural or legal person who determines the purposes and means of personal data processing and is accountable for the establishment and administration of the data filing system.

A data processor is a natural or legal person that processes personal data on the basis of a data controller's authorisation.

The data controller or processor is required to provide the following information: the purpose of the processing, the recipients of the processed data and the purpose of the transfer, the method used to collect personal data and its legal basis, and any other rights granted to the data subject by law.

The principles governing data processing are as follows: it must be processed fairly and lawfully, it must be accurate and up to date, it must be processed for specified, explicit, and legitimate purposes, it must be adequate, relevant, and not excessive in relation to the purposes for which it is processed, and it must be retained for the duration specified by law or for no longer than is necessary for the subsequent processing.

A Data Protection Impact Assessment can be used to identify and mitigate high risks associated with data processing that may impact the rights and freedoms of data subjects.

A data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.